
Fraudsters exploit weak bank security process to add fake cards on Apple Pay

Where there’s a will, there’s a way, and it seems that fraudsters have finally found a way into Apple Pay. However, the problem seems to be less with Apple’s security system, and more with individual banks’ processes for verifying credit cards for the Apple Pay system.

Payment expert Cherian Abraham, who works with banks and businesses to set up mobile payment infrastructure, revealed the issue of fraud in a blog post. Fraud “is growing like a weed, and the bank is unable to tell friend from foe,” he wrote.

Abraham noted that fraud accounts for 6 percent of Apple Pay transactions, which is much higher than the 0.1 percent of card swipe transactions that are fraudulent. However, it turns out that fraud rates vary from bank to bank, depending on their security protocols.

An Apple spokesperson told the Wall Street Journal that Apple Pay is “designed to be extremely secure and protect a user’s personal information,” adding that “banks are always reviewing and improving their approval process, which varies by bank.”

In other words, it seems that Apple has little control over how banks verify credit cards that are used on Apple Pay. Apple only controls the user interface where users can input card information, not the security processes that confirm whether or not the card is valid.

Apple Pay stores encrypted payment data in a special “secure element” on the phone, uses the Touch ID fingerprint sensor to prove that the iPhone’s owner is paying, and uses a token or numeric code to process the payment at the store, so that the actual credit card number is never communicated to the merchant.

The one point at which fraudsters have found a weakness in the system is when a credit card is added to Apple Pay. Apple simply sends the bank the following information so it can verify the card: the kind of phone used, the last four digits of the phone number, and the phone’s approximate location. The bank then verifies the card, declines it, or asks for more information to ensure that the user isn’t fraudulent.

According to Abraham, some banks made it incredibly easy for fraudsters to circumvent the added security. All they had to do was provide the last four digits of the target’s social security number, for example, which is easy enough to steal if you’re an identity thief.

It’s unclear what Apple is doing to combat these new fraudsters, but it seems that some banks are reevaluating their protocols to make sure customers’ cards stay safe.

Malarie Gokey
Former Digital Trends Contributor